CN101286919A - Method and device for implementing inter-access between virtual private networks by conversion of network addresses - Google Patents


Info

Publication number
CN101286919A
Authority
CN
China
Legal status
Granted
Application number
CNA200710090548XA
Other languages
Chinese (zh)
Other versions
CN101286919B (en)
Inventor
卢胜文
Current Assignee
New H3C Technologies Co Ltd
Original Assignee
Hangzhou H3C Technologies Co Ltd
Related application
RU2008113089A
Current legal status
Expired - Fee Related

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)
  • Small-Scale Networks (AREA)

Abstract

The invention discloses a method for implementing mutual access between virtual private networks (VPNs) by network address translation (NAT). The method comprises the following steps: first, a shared VPN and a corresponding NAT address pool are configured, and the routing information of the NAT address pool is distributed to all VPNs; second, when a source VPN initiates a packet access, NAT of the source address and the destination address is performed according to the NAT address pool, and the destination VPN is determined from the destination address or the translated destination address; finally, route forwarding of the packet is performed in the destination VPN. The invention also discloses a NAT device that implements mutual access between VPNs. With the method and device of the invention, mutual access between VPNs can be implemented conveniently; moreover, configuration and management are simple and security is high.

Description

Method and device for implementing mutual access between virtual private networks by network address translation
Technical field
The present invention relates to the field of network technology, and in particular to a method and a device for implementing mutual access between VPNs (Virtual Private Networks) by NAT (Network Address Translation).
Background technology
With the rapid development of Internet technology, the use of MPLS (Multi-Protocol Label Switching) to provide users with L3VPN (Layer 3 VPN) has become widespread. Applied to the networks of enterprises and governments, it isolates internal networks on the public network; at the same time, for practical reasons there may also be a demand for mutual access between different VPNs.
At present, direct mutual access between many VPNs can be achieved by guaranteeing that address assignment is globally unique across the VPNs. However, this scheme requires unified planning when the network is built, and later management must follow that plan strictly, which puts great pressure on network management; an existing network would also have to be re-assigned IP addresses, which is difficult to retrofit. Using NAT technology instead allows access between VPNs without changing the existing network and without requiring globally unified address assignment.
In the prior art, a NAT device is generally used to translate private network addresses to public network addresses, and NAT devices that support VPNs mainly solve the problem of multiple VPNs sharing access to the public network. Therefore, for mutual access between VPNs, the two VPNs that access each other must be configured on different NAT devices and access each other by translation to public network addresses. As shown in Fig. 1, access from VPN 11 and VPN 12 to VPN 13 and VPN 14 first translates the addresses of VPN 11 and VPN 12 to public network addresses on NAT 15, and then translates the public network addresses to the private network addresses of VPN 13 or VPN 14 on NAT 16. The drawback of this method is that its networking is more complicated to implement, and because translation is to public network addresses there may also be a security risk. Another prior-art method of mutual access between VPNs using NAT requires configuring one-to-one NAT translations between each pair of VPNs that access each other. Continuing with Fig. 1, if VPN 11 to VPN 14 need mutual access to some internal servers, translations must be configured separately for VPN 11~VPN 12, VPN 11~VPN 13, VPN 11~VPN 14, VPN 12~VPN 13, VPN 12~VPN 14 and VPN 13~VPN 14, which makes configuration and management very difficult.
Summary of the invention
The purpose of this invention is to provide a method and a device for implementing mutual access between VPNs by NAT, to solve the prior-art problems of high implementation complexity and difficult configuration and management of mutual access between VPNs.
To achieve the above purpose, the present invention proposes a method for implementing mutual access between VPNs by NAT, comprising:
configuring a shared VPN and a corresponding NAT address pool, and distributing the routing information of the NAT address pool to each VPN;
when a source VPN initiates a packet access, performing NAT translation of the source address and/or the destination address according to the NAT address pool, and determining the destination VPN from the destination address or the translated destination address;
performing route forwarding of the packet in the destination VPN.
After performing route forwarding of the packet, the method further comprises:
establishing a NAT session table according to the routing identifier of the packet, the routing identifier comprising: source VPN number, source address, destination address and destination VPN number;
the source VPN directly performing route forwarding of subsequent packets according to the NAT session table.
After performing route forwarding of the packet, the method further comprises:
establishing a reverse NAT session table according to the reverse routing identifier of the packet, the reverse routing identifier comprising: destination address, destination VPN number, source VPN number and source address; or shared VPN number, source VPN number and source address;
the destination VPN performing route forwarding of reverse packets to the source VPN according to the reverse NAT session table.
The routing identifier or the reverse routing identifier further comprises: the translated source address and/or the translated destination address.
Configuring the shared VPN and the NAT address pool further comprises: configuring a NAT rule;
then, when the source VPN initiates a packet access, judging according to the NAT rule whether the source VPN performs NAT translation; if so, further querying the NAT rule to determine the NAT address pool to use, and then performing NAT translation of the source address and/or the destination address according to the query result.
Performing route forwarding of the packet in the destination VPN further comprises:
querying the routing table of the destination VPN with the destination address or with the destination address after NAT translation;
forwarding the packet according to the forwarding route obtained by the query.
Performing NAT translation of the source address and/or the destination address further comprises:
performing network address port translation (NAPT) of the source port and/or the destination port according to the NAT address pool;
and then performing route forwarding of the packet according to the destination address and destination port, or the destination address and destination port after NAPT translation.
The NAT address pool comprises a source address translation pool and a destination address translation pool; the source/destination address translation pool is a static translation address pool or a dynamic translation address pool.
The present invention also proposes a NAT device for implementing mutual access between VPNs, comprising a shared VPN configuration unit, a NAT translation unit and a destination VPN determining unit, wherein:
the shared VPN configuration unit is used to configure the shared VPN and the corresponding NAT address pool;
the NAT translation unit, when a source VPN initiates a packet access, performs NAT translation of the source address and/or the destination address according to the NAT address pool;
the destination VPN determining unit queries the NAT address pool according to the destination address or the translated destination address, to determine the destination VPN in which the packet is forwarded.
The device further comprises a session table unit and a reverse session table unit, wherein:
the session table unit is used to establish and store a NAT session table according to the routing identifier of the packet, so that route forwarding of subsequent packets from the source VPN is performed according to the NAT session table; the routing identifier comprises: source VPN number, source address, destination address and destination VPN number;
the reverse session table unit is used to establish and store a reverse NAT session table according to the reverse routing identifier of the packet, so that reverse route forwarding of packets from the destination VPN is performed according to the reverse NAT session table; the reverse routing identifier comprises: destination address, destination VPN number, source VPN number and source address; or shared VPN number, source VPN number and source address.
The routing identifier or the reverse routing identifier further comprises: the translated source address and/or the translated destination address.
The device further comprises a rule configuration unit connected to the NAT translation unit, wherein:
the rule configuration unit is used to configure the NAT rule, in order to determine whether the source VPN performs NAT translation, and further to determine whether to perform NAT translation of the source address and/or the destination address.
The NAT translation unit further comprises an address translation subunit and a port translation subunit, wherein:
the address translation subunit performs NAT translation of the source address and/or the destination address according to the NAT address pool;
the port translation subunit further performs NAPT translation of the corresponding source port and/or destination port according to the NAT address pool.
The NAT address pool comprises a source address translation pool and a destination address translation pool; the source/destination address translation pool is a static translation address pool or a dynamic translation address pool.
Compared with the prior art, the method of the present invention for implementing mutual access between VPNs by NAT configures a shared VPN and a NAT address pool in the network and distributes the routes of the address pool addresses to the VPNs that need mutual access. This implements mutual access between VPNs conveniently; configuration and management are simple, and security is higher.
Description of drawings
Fig. 1 is a networking diagram of mutual access between multiple VPNs in the prior art;
Fig. 2 is a flow chart of embodiment one of the method of the present invention for implementing mutual access between VPNs by NAT;
Fig. 3 is a flow chart of embodiment two of the method of the present invention for implementing mutual access between VPNs by NAT;
Fig. 4 is a networking diagram of embodiment two of the method of the present invention for implementing mutual access between VPNs by NAT;
Fig. 5 is a schematic diagram of an embodiment of the NAT device of the present invention for implementing mutual access between VPNs.
Embodiment
The present invention is further described below with reference to the accompanying drawings and specific embodiments.
The present invention discloses a method for implementing mutual access between VPNs by NAT; as shown in Fig. 2, one embodiment comprises the following steps:
S201: configure a shared VPN and a corresponding NAT address pool, and distribute the routing information of this NAT address pool to each VPN.
To implement mutual access between VPNs by NAT translation, there must be an address pool for the translation. The embodiments of the invention first set up a shared VPN in the network; this VPN may be a VPN network containing real computers, or a virtual VPN. One or more address pools, i.e. NAT address pools, are then configured for the shared VPN. The configured address pools comprise an address pool for source address translation and an address pool for destination address translation, and whether the translation is static or dynamic, the external network addresses obtained after translation of a VPN all belong to this shared VPN. Finally, the routing information of this NAT address pool must be distributed to each VPN in the network that needs mutual access, so that the hosts of the other VPNs can route to this NAT address pool and access the external IP addresses in it. The routing information of the NAT address pool may be the routes of the address pool addresses of the shared VPN, or the route of the NAT device on which the address pool is configured.
S202: when a source VPN initiates a packet access, perform NAT translation of the source address and/or the destination address according to the NAT address pool.
After the shared VPN and its corresponding NAT address pool have been configured in step S201 and the routes of the address pool addresses have been distributed to each VPN, a packet access initiated by one VPN in the network towards another VPN is routed to the NAT device. If source address translation is configured in the NAT rule, the source address of a packet matching the NAT rule is translated: an available address is allocated to the VPN initiating the access from the NAT address pool of the shared VPN it belongs to. At the same time, the NAT rule is consulted to judge whether destination address translation for the corresponding shared VPN is configured; if NAT translation of the destination address is performed, the destination VPN to which the translated destination address belongs is obtained at the same time. Translating both the source address and the destination address as above applies when the internal hosts of the VPNs use their own private network IP addresses for mutual access; if one of the hosts taking part uses a public network IP address to access the network, only the source address or the destination address needs to be translated; if both sides use public network IP addresses, the NAT translation of this embodiment is not needed. In addition, the translation of the source address and/or destination address described above may also include translation of the source port and/or destination port; the specific implementation is described in embodiment three below.
S203: determine the destination VPN according to the destination address or the translated destination address.
From step S201 it is known that the configured NAT address pool comprises a source address translation pool and a destination address translation pool. If NAT translation was performed in step S202 according to the destination address translation pool, the destination VPN for forwarding the packet can be determined from the translated destination address; if the destination address in the packet does not need NAT translation, then after NAT translation of the source address, the destination VPN for route forwarding can be determined directly from the destination address carried by the packet.
S204: perform route forwarding of the packet in the destination VPN.
After the destination VPN is obtained in step S203, the forwarding route can be looked up in the routing table of this destination VPN with the destination address or the translated destination address, and the packet is then forwarded accordingly.
Embodiment two of the method of the present invention for implementing mutual access between VPNs by NAT is shown in Fig. 3; its steps are described below together with a concrete implementation:
S301: configure a shared VPN and a corresponding NAT address pool, and distribute the routing information of this NAT address pool to each VPN.
This step is identical to step S201 of embodiment one: to implement NAT translation, the address pool and the shared VPN it belongs to must be configured, and the address pool addresses or the route of the NAT device on which the address pool is configured must be distributed to each VPN in the network that needs mutual access, so that hosts in those VPNs can access the public network IP addresses in the address pool.
S302: configure the NAT rule.
In practice, the VPNs that need mutual access may only need to access part of each other's internal hosts or services; for reasons of security or authorization, NAT translation need not be configured for the other hosts in those VPNs. In addition, some hosts in a VPN may themselves use public network IP addresses to access the network or to be accessed over the network; when those hosts take part in mutual access, source address and destination address translation need not both be performed, and only a single address translation is required. Whether a host in a VPN is authorized to, or needs to, undergo NAT translation can be realized by configuring the NAT rule in advance. At the same time, to avoid conflicts among translated addresses, the NAT device may allocate different address pools to different VPNs according to the needs of the users' access services; therefore the address pool a VPN belongs to when performing NAT translation can also be preset by the NAT rule.
Combining steps S301 and S302 and referring to Fig. 4, take as an example the access from 10.10.0.1 of VPN 41 to 10.10.0.1 of VPN 42 with NAT translation. First, the shared VPN 44 is set up through the NAT device 43, and on VPN 44 a NAT rule is configured that all external accesses from VPN 41 are to be NAT-translated; the source address translation pool 60.0.0.1~60.0.0.32 for NAT translation is configured, as well as a static destination address translation (internal server) for VPN 42, i.e. VPN 44:60.0.1.1 is mapped to VPN 42:10.10.0.1. The routes of VPN 44 are then imported into VPN 41 and VPN 42 respectively, so that VPN 41 and VPN 42 each have routes to the address pool 60.0.0.1~60.0.0.32 and to 60.0.1.1.
S303: when a VPN initiates a packet access, the NAT device judges according to the NAT rule whether to perform NAT translation; if so, go to step S304.
For reasons of security or authorization requirements, there may be hosts in a VPN that need not access the external network; therefore, on receiving a packet initiated by a VPN, the device must judge according to the preset NAT rule whether NAT translation is needed.
S304: obtain the NAT address pool according to the NAT rule and perform NAT translation of the source address.
From step S302 it is known that the NAT device may allocate different NAT address pools to different VPNs according to the users' access situation; therefore, after determining that NAT translation is to be performed, the NAT rule is further queried to determine the NAT address pool for the translation. The source address of the packet is then NAT-translated according to the source address translation configuration of that address pool: an available address is allocated from the NAT address pool of the shared VPN it belongs to, giving the translated source address.
S305: perform NAT translation of the destination address, obtaining the translated destination address and the destination VPN it belongs to.
S306: perform route forwarding of the packet in the destination VPN.
Steps S305 and S306 are similar to steps S202~S204 of embodiment one: after the destination address of the packet is translated, the forwarding route is looked up in the routing table of the destination VPN with the translated destination address, and the packet is forwarded to the host in the destination VPN that corresponds to the destination address.
Combining steps S303~S305 and continuing with Fig. 4: when user 10.10.0.1 of VPN 41 initiates an access to 60.0.1.1, the packet is routed to NAT device 43. According to the NAT rule, NAT device 43 obtains 60.0.0.1~60.0.0.32 as the address pool for source address NAT translation, allocates the unused address 60.0.0.1 from that pool, and at the same time obtains VPN 44 as the shared VPN the address pool belongs to. It then queries the static destination address mapping table (internal server table) in the NAT address pool with VPN 44 and the address 60.0.1.1, obtaining the translation result VPN 42:10.10.0.1, so VPN 42 is the destination VPN. The source address 10.10.0.1 is replaced with the translated 60.0.0.1 and the destination address 60.0.1.1 with the translated 10.10.0.1; the routing table of destination VPN 42 is then looked up with 10.10.0.1, and the packet is forwarded to 10.10.0.1 of VPN 42.
In addition, in the above embodiment described with Fig. 4, the source address translation using the address pool 60.0.0.1~60.0.0.32 is dynamic NAT translation, while the destination address translation configured for the internal server 60.0.1.1 is static translation. It should be noted that the destination address translation may also use an address pool for dynamic translation; in that case it must be combined with an address resolution scheme similar to the domain name resolution of the prior art. Since this is not an essential feature of the present invention, is comparatively complicated to implement, and the address translation after dynamic resolution still appears as a static internal server mapping similar to this embodiment, it is not described further. Likewise, the source address translation may also be configured as a static mapping. Such variations are easily achieved by those of ordinary skill in the art and should therefore also fall within the protection scope of the present invention.
S307: establish a NAT session table and a reverse NAT session table according to the routing identifier of the packet.
After mutual access between VPNs is successfully established and route forwarding of the packet is completed, a NAT session table and a reverse session table can be established according to the routing identifier of the packet; route forwarding of subsequent and reverse packets between the same hosts of the same VPNs can then be completed according to these session tables. The routing identifier may include, but is not limited to: source VPN number, source address, translated source address, destination address, translated destination address and destination VPN number. In addition, the reverse routing identifier used to establish the reverse NAT session table may replace the destination address and destination VPN number with the shared VPN number, which likewise completes reverse packet forwarding from the destination VPN to the source VPN.
S308: forward subsequent forward and reverse packets according to the NAT session table and the reverse NAT session table respectively.
As described in step S307, to speed up NAT translation, a NAT session table and a reverse NAT session table are usually established according to routing identifiers such as the source VPN number, source address, destination address and destination VPN number carried in the packet. If subsequent forward and reverse packets match a NAT session entry, address translation can be performed directly according to the session table without repeating the preceding steps. Deletion of entries is handled by an aging mechanism: a NAT session entry is deleted from the NAT device after a specified time.
Combining steps S307 and S308 and continuing with Fig. 4, NAT device 43 can establish a NAT session table with the correspondence VPN 41+10.10.0.1+60.0.1.1 to VPN 42+60.0.0.1+10.10.0.1 and the reverse VPN 42+10.10.0.1+60.0.0.1 to VPN 41+60.0.1.1+10.10.0.1, as shown in Table 1. In addition, the reverse direction can also establish a corresponding session table with VPN 44+10.10.0.1+60.0.0.1 to VPN 41+60.0.1.1+10.10.0.1, as shown in Table 2, i.e. using the shared VPN number in place of the reverse ingress VPN number; this shared VPN number can be obtained by looking up the route of the reverse address pool address 60.0.0.1.
Table 1:
| Direction | Ingress VPN | Source IP | Destination address | Translated VPN | Translated source address | Translated destination address |
| Forward | 41 | 10.10.0.1 | 60.0.1.1 | 42 | 60.0.0.1 | 10.10.0.1 |
| Reverse | 42 | 10.10.0.1 | 60.0.0.1 | 41 | 60.0.1.1 | 10.10.0.1 |
Table 2:
| Direction | Ingress VPN | Source IP | Destination address | Translated VPN | Translated source address | Translated destination address |
| Forward | 41 | 10.10.0.1 | 60.0.1.1 | 42 | 60.0.0.1 | 10.10.0.1 |
| Reverse | 44 | 10.10.0.1 | 60.0.0.1 | 41 | 60.0.1.1 | 10.10.0.1 |
Because the NAT session entries have been established, subsequent packets from 10.10.0.1 in VPN 41 to 10.10.0.1 in VPN 42, and reverse messages from 10.10.0.1 in VPN 42 to 10.10.0.1 in VPN 41, are translated directly by looking up the NAT session table of Table 1.
Embodiments one and two of the present invention above are described with direct NAT translation of the source address or destination address as the object. In practice, mutual access between VPNs may also require NAPT (Network Address Port Translation), which the following embodiment three describes.
Take as an example access from 10.10.0.1:10000 in VPN 51 to 10.10.0.1:21 in VPN 52.
First, the shared VPN 53 is set up, and on VPN 53 a NAT rule is configured that all external accesses from VPN 51 are to be NAT-translated, with the address pool 60.0.0.1~60.0.0.32 set for NAT translation; the internal server 60.0.1.1:21 of VPN 53 is mapped to 10.10.0.1:21 in VPN 52. The routes of VPN 53 are then imported into VPN 51 and VPN 52 respectively, so that VPN 51 and VPN 52 each have routes to the address pool 60.0.0.1~60.0.0.32 and to 60.0.1.1.
When user 10.10.0.1:10000 of VPN 51 initiates an access to 60.0.1.1:21, the routing table of VPN 51 is looked up and the packet is forwarded to NAT device 53. According to the configured NAT rule, NAT device 53 obtains 60.0.0.1~60.0.0.32 as the address pool for NAT translation, with translation type NAPT; it then allocates the unused address and port 60.0.0.1:12000 from the address pool, and obtains VPN 53 as the shared VPN the address pool belongs to. Querying the internal server table with VPN 53 and 60.0.1.1:21 gives the translation result 10.10.0.1:21 of VPN 52. Finally, the source address and port 10.10.0.1:10000 are replaced with the translated 60.0.0.1:12000 and the destination address and port 60.0.1.1:21 with the translated 10.10.0.1:21; the routing table of destination VPN 52 is then looked up with 10.10.0.1 and the packet is forwarded to 10.10.0.1 of VPN 52, completing the route forwarding of the packet.
To facilitate forwarding of subsequent forward and reverse packets, a NAT session table is likewise established according to the routing identifier of the packet after the NAPT translation of the VPN is performed. As shown in Table 3, in embodiment three a NAT session table can be established with the correspondence VPN 51+10.10.0.1+10000+60.0.1.1+21 to VPN 52+60.0.0.1+12000+10.10.0.1 and the reverse VPN 52+10.10.0.1+21+60.0.0.1+12000 to VPN 51+60.0.1.1+21+10.10.0.1+10000. In addition, the reverse direction can also establish a corresponding session table with shared VPN 53+10.10.0.1+21+60.0.0.1+12000 to VPN 51+60.0.1.1+21+10.10.0.1+10000, as shown in Table 4; this shared VPN number can be obtained by looking up the route of the reverse address pool address 60.0.0.1.
Table 3:
| Direction | Ingress VPN | Source address | Source port | Destination address | Destination port | Translated VPN | Translated source address | Translated source port | Translated destination address | Translated destination port |
| Forward | 51 | 10.10.0.1 | 10000 | 60.0.1.1 | 21 | 52 | 60.0.0.1 | 12000 | 10.10.0.1 | 21 |
| Reverse | 52 | 10.10.0.1 | 21 | 60.0.0.1 | 12000 | 51 | 60.0.1.1 | 21 | 10.10.0.1 | 10000 |
Table 4:
| Direction | Ingress VPN | Source address | Source port | Destination address | Destination port | Translated VPN | Translated source address | Translated source port | Translated destination address | Translated destination port |
| Forward | 51 | 10.10.0.1 | 10000 | 60.0.1.1 | 21 | 52 | 60.0.0.1 | 12000 | 10.10.0.1 | 21 |
| Reverse | 53 | 10.10.0.1 | 21 | 60.0.0.1 | 12000 | 51 | 60.0.1.1 | 21 | 10.10.0.1 | 10000 |
After the above NAT session table is established, forward messages from 10.10.0.1 in VPN 51 to 10.10.0.1 in VPN 52, and reverse messages from 10.10.0.1 in VPN 52 to 10.10.0.1 in VPN 51, can be translated directly by looking up this session table.
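The following simulation, added here as an illustration and not part of the patent, models the NAT device of embodiment two (steps S303~S308, Fig. 4) and the NAPT variant of embodiment three: a NAT rule per source VPN, dynamic source translation from the shared VPN's pool, a static internal-server mapping that also yields the destination VPN, and the forward and reverse session tables of Tables 1~4. The class and method names and the NAPT port base 12000 are assumptions; the VPN numbers and addresses are those of the text.

```python
"""Constructed simulation of the inter-VPN NAT scheme of embodiments two and
three (added example, not the patent's implementation). One NAT device holds a
shared VPN, a dynamic source-address pool, static internal-server mappings
(optionally with ports, i.e. NAPT), a per-VPN NAT rule, and the forward and
reverse session tables of steps S307/S308. Addresses are those of Fig. 4 and of
embodiment three; the port base 12000 and all names here are assumptions."""
from dataclasses import dataclass, replace
from ipaddress import IPv4Address
from typing import Dict, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    vpn: int                     # VPN the packet is in when seen (ingress or egress)
    src: str
    dst: str
    sport: Optional[int] = None  # ports are None for plain NAT, set for NAPT
    dport: Optional[int] = None

    def key(self) -> Tuple:
        # Routing identifier of S307: ingress VPN number plus addresses (and ports)
        return (self.vpn, self.src, self.sport, self.dst, self.dport)


class NatDevice:
    def __init__(self, shared_vpn: int, pool_first: str, pool_last: str,
                 napt: bool = False, port_base: int = 12000) -> None:
        self.shared_vpn = shared_vpn
        lo, hi = int(IPv4Address(pool_first)), int(IPv4Address(pool_last))
        self.pool = [str(IPv4Address(a)) for a in range(lo, hi + 1)]
        self.napt = napt
        self.next_port = port_base
        self.allowed_vpns: Set[int] = set()          # NAT rule (S302/S303)
        self.servers: Dict[Tuple, Tuple] = {}        # static destination map (S305)
        self.lease_of: Dict[str, str] = {}           # inner source IP -> pool address
        self.sessions: Dict[Tuple, Packet] = {}      # forward + reverse entries (S307)

    def allow_vpn(self, vpn: int) -> None:
        """NAT rule: every external access from this VPN is translated."""
        self.allowed_vpns.add(vpn)

    def map_server(self, shared_ip: str, dest_vpn: int, dest_ip: str,
                   port: Optional[int] = None) -> None:
        """Static mapping shared_vpn:shared_ip[:port] -> dest_vpn:dest_ip[:port]."""
        self.servers[(shared_ip, port)] = (dest_vpn, dest_ip, port)

    def _lease(self, inner_src: str) -> str:
        """Dynamic source translation: one pool address per inner source host."""
        if inner_src not in self.lease_of:
            free = [a for a in self.pool if a not in self.lease_of.values()]
            if not free:
                raise RuntimeError("source address pool exhausted")
            self.lease_of[inner_src] = free[0]
        return self.lease_of[inner_src]

    def forward(self, pkt: Packet) -> Optional[Packet]:
        """Return the packet as forwarded into its destination VPN, or None if dropped."""
        # S308: a matching session entry (forward or reverse) is applied directly.
        hit = self.sessions.get(pkt.key())
        if hit is not None:
            return hit
        # S303: the NAT rule decides whether this source VPN is translated at all.
        if pkt.vpn not in self.allowed_vpns:
            return None
        # S305: the static destination translation also yields the destination VPN.
        target = self.servers.get((pkt.dst, pkt.dport if self.napt else None))
        if target is None:
            return None                  # nothing published for this address/port
        dst_vpn, dst_ip, dst_port = target
        # S304: source translation out of the shared VPN's pool; NAPT adds a port.
        new_src = self._lease(pkt.src)
        new_sport = None
        if self.napt:
            new_sport, self.next_port = self.next_port, self.next_port + 1
        out = Packet(dst_vpn, new_src, dst_ip, new_sport, dst_port)
        # S307: forward entry (Table 1/3) plus reverse entries keyed by the
        # destination VPN (Table 1/3) and by the shared VPN number (Table 2/4).
        self.sessions[pkt.key()] = out
        back_in = Packet(dst_vpn, dst_ip, new_src, dst_port, new_sport)
        back_out = Packet(pkt.vpn, pkt.dst, pkt.src, pkt.dport, pkt.sport)
        self.sessions[back_in.key()] = back_out
        self.sessions[replace(back_in, vpn=self.shared_vpn).key()] = back_out
        return out
```

A packet whose source VPN has no NAT rule, or whose destination has no internal-server mapping, is dropped before any pool address is leased, which is the access-control effect the NAT rule is described as providing.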
Respectively NAT and NAPT are described among embodiment one, two and the embodiment three, in the practical application, NAT and NAPT conversion can be carried out respectively in source address and destination address, and it also should fall into protection scope of the present invention.In addition, each embodiment of the invention described above is for making description comparatively clear, and only the situation of exchanging visits with two VPN is an example, and when exchanging visits between a plurality of VPN, advantage of the present invention will be more obvious, not given unnecessary details herein.
The present invention also discloses a NAT device for implementing inter-access between VPNs. As shown in Figure 5, one embodiment comprises a shared VPN configuration unit 610, a NAT translation unit 620 and a destination VPN determining unit 630. The shared VPN configuration unit 610 is used to configure the shared VPN and the corresponding NAT address pool; the NAT translation unit 620 is used to perform NAT translation of the source address and/or destination address according to the NAT address pool when a source VPN initiates packet access; and the destination VPN determining unit 630 looks up the NAT address pool according to the destination address, or the destination address after translation, to determine the destination VPN in which the packet is to be forwarded.
In this embodiment, the NAT device further comprises a session table unit 640, a reverse session table unit 650 and a rule configuration unit 660. The session table unit 640 is used to establish and store the NAT session table according to the route identifier of the packet, so that subsequent packets from the source VPN are route-forwarded according to the NAT session table; the route identifier includes, but is not limited to: source VPN number, source address, source address after translation, destination address, destination address after translation and destination VPN number. The reverse session table unit 650 is used to establish and store the NAT reverse session table according to the reverse route identifier of the packet, so that packets from the destination VPN are reverse route-forwarded according to the NAT reverse session table; the reverse route identifier comprises: destination address, destination VPN number, source VPN number and source address, or shared VPN number, source VPN number and source address. The rule configuration unit 660 is connected to the NAT translation unit 620 and is used to configure NAT rules, to determine whether the source VPN performs NAT translation, and further to determine whether NAT translation of the source address and/or destination address is performed.
In addition, the NAT translation unit 620 further comprises an address translation subunit 621 and a port translation subunit 622. The address translation subunit 621 performs NAT translation of the source address and/or destination address according to the NAT address pool; the port translation subunit 622 further performs NAPT translation of the corresponding source port and/or destination port according to the NAT address pool.
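As an added example that is not part of the patent, the following Python models the NAT session table of Tables 3 and 4 together with the session table unit 640 and reverse session table unit 650: entries are keyed on the ingress VPN number plus the five-tuple, so the overlapping private address 10.10.0.1 in VPN 51 and VPN 52 cannot collide, and reverse entries are installed both for destination VPN 52 and for shared VPN 53 obtained from the reverse pool address 60.0.0.1. The class and function names and the pool-to-shared-VPN mapping are my assumptions, not the patent's.

```python
"""NAT session table for inter-VPN access, keyed on the VPN number (added example)."""
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Tuple

# Route identifier of a packet as used by the session table:
# (ingress VPN number, source address, source port, destination address, destination port)
Key = Tuple[int, str, int, str, int]


@dataclass(frozen=True)
class Translated:
    """Packet header after NAT/NAPT translation, plus the VPN it is forwarded in."""
    vpn: int
    src: str
    sport: int
    dst: str
    dport: int


class NatSessionTable:
    """Assumed name; plays the role of units 640 and 650 of the page."""

    def __init__(self) -> None:
        self._entries: Dict[Key, Translated] = {}

    def add_session(self, fwd_key: Key, fwd_out: Translated,
                    reverse_vpns: Iterable[int]) -> None:
        """Install the forward entry and one reverse entry per reverse ingress VPN.

        A reverse packet arrives with the translated addresses swapped (the host in
        the destination VPN answers 60.0.0.1:12000) and is mapped back to the original
        source host in the source VPN, again with src/dst swapped (Tables 3 and 4).
        """
        self._entries[fwd_key] = fwd_out
        in_vpn, src, sport, dst, dport = fwd_key
        for rvpn in reverse_vpns:
            rkey: Key = (rvpn, fwd_out.dst, fwd_out.dport, fwd_out.src, fwd_out.sport)
            self._entries[rkey] = Translated(in_vpn, dst, dport, src, sport)

    def lookup(self, key: Key) -> Optional[Translated]:
        """Exact-match lookup. None means the packet must take the slow path
        (NAT rule and address-pool lookup) instead of the session table."""
        return self._entries.get(key)


# Constructed from embodiment three: the reverse address pool maps the pool
# address 60.0.0.1 to shared VPN 53 (mapping shape is an assumption).
REVERSE_POOL_SHARED_VPN: Dict[str, int] = {"60.0.0.1": 53}


def build_embodiment_three_table() -> NatSessionTable:
    """Populate the table with the single session of Tables 3 and 4."""
    table = NatSessionTable()
    fwd_key: Key = (51, "10.10.0.1", 10000, "60.0.1.1", 21)
    fwd_out = Translated(52, "60.0.0.1", 12000, "10.10.0.1", 21)
    # Reverse traffic may enter from destination VPN 52 (Table 3) or via the
    # shared VPN found by looking up the pool address (Table 4).
    shared = REVERSE_POOL_SHARED_VPN[fwd_out.src]
    table.add_session(fwd_key, fwd_out, reverse_vpns=(fwd_out.vpn, shared))
    return table


def translate(table: NatSessionTable, vpn: int, src: str, sport: int,
              dst: str, dport: int) -> Optional[Translated]:
    """Fast-path translation of one packet header through the session table."""
    return table.lookup((vpn, src, sport, dst, dport))
```

A lookup that misses for the same address tuple arriving in a different VPN is the intended behaviour: without the VPN number in the key, the two hosts both numbered 10.10.0.1 would share one entry.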
The above discloses only several specific embodiments of the present invention; however, the present invention is not limited thereto, and any variation that a person skilled in the art can conceive of should fall within the protection scope of the present invention.

Claims (14)

1. A method for implementing inter-access between virtual private networks (VPNs) by network address translation (NAT), characterized by comprising:
configuring a shared VPN and a corresponding NAT address pool, and distributing routing information of the NAT address pool to each VPN;
when a source VPN initiates packet access, performing NAT translation of the source address and/or destination address according to the NAT address pool, and determining the destination VPN according to the destination address or the destination address after translation;
performing route forwarding of the packet in the destination VPN.
2. The method for implementing inter-access between VPNs by NAT according to claim 1, characterized in that, after performing route forwarding of the packet, the method further comprises:
establishing a NAT session table according to the route identifier of the packet, the route identifier comprising: source VPN number, source address, destination address and destination VPN number;
the source VPN directly performing route forwarding of subsequent packets according to the NAT session table.
3. The method for implementing inter-access between VPNs by NAT according to claim 1, characterized in that, after performing route forwarding of the packet, the method further comprises:
establishing a NAT reverse session table according to the reverse route identifier of the packet, the reverse route identifier comprising: destination address, destination VPN number, source VPN number and source address, or shared VPN number, source VPN number and source address;
the destination VPN performing route forwarding of reverse packets to the source VPN according to the NAT reverse session table.
4. The method for implementing inter-access between VPNs by NAT according to claim 2 or 3, characterized in that the route identifier or the reverse route identifier further comprises: the source address after translation and/or the destination address after translation.
5. The method for implementing inter-access between VPNs by NAT according to claim 1, characterized in that configuring the shared VPN and the NAT address pool further comprises: configuring NAT rules;
and when the source VPN initiates packet access, judging according to the NAT rules whether the source VPN performs NAT translation; if so, further querying the NAT rules to determine the NAT address pool to be used, and then performing NAT translation of the source address and/or destination address according to the query result.
6. The method for implementing inter-access between VPNs by NAT according to claim 1, characterized in that performing route forwarding of the packet in the destination VPN further comprises:
querying the routing table of the destination VPN according to the destination address or the destination address after NAT translation;
forwarding the packet according to the forwarding route obtained by the query.
7. The method for implementing inter-access between VPNs by NAT according to claim 1, characterized in that performing NAT translation of the source address and/or destination address further comprises:
performing network address port translation (NAPT) of the source port and/or destination port according to the NAT address pool;
and then performing route forwarding of the packet according to the destination address and destination port, or according to the destination address and destination port after NAPT translation.
8. The method for implementing inter-access between VPNs by NAT according to claim 1, characterized in that the NAT address pool comprises: a source address translation address pool and a destination address translation address pool, the source/destination address translation address pool being a static translation address pool or a dynamic translation address pool.
9. A NAT device for implementing inter-access between VPNs, characterized by comprising a shared VPN configuration unit, a NAT translation unit and a destination VPN determining unit,
the shared VPN configuration unit being used to configure the shared VPN and the corresponding NAT address pool;
the NAT translation unit performing NAT translation of the source address and/or destination address according to the NAT address pool when a source VPN initiates packet access;
the destination VPN determining unit querying the NAT address pool according to the destination address or the destination address after translation, to determine the destination VPN in which the packet is forwarded.
10. The NAT device for implementing inter-access between VPNs according to claim 9, characterized by further comprising a session table unit and a reverse session table unit,
the session table unit being used to establish and store a NAT session table according to the route identifier of the packet, so that route forwarding of subsequent packets from the source VPN is performed according to the NAT session table, the route identifier comprising: source VPN number, source address, destination address and destination VPN number;
the reverse session table unit being used to establish and store a NAT reverse session table according to the reverse route identifier of the packet, so that reverse route forwarding of packets from the destination VPN is performed according to the NAT reverse session table, the reverse route identifier comprising: destination address, destination VPN number, source VPN number and source address, or shared VPN number, source VPN number and source address.
11. The NAT device for implementing inter-access between VPNs according to claim 10, characterized in that the route identifier or the reverse route identifier further comprises: the source address after translation and/or the destination address after translation.
12. The NAT device for implementing inter-access between VPNs according to claim 9, characterized by further comprising a rule configuration unit connected to the NAT translation unit,
the rule configuration unit being used to configure NAT rules, to determine whether the source VPN performs NAT translation, and further to determine whether NAT translation of the source address and/or destination address is performed.
13. The NAT device for implementing inter-access between VPNs according to claim 9, characterized in that the NAT translation unit further comprises an address translation subunit and a port translation subunit,
the address translation subunit performing NAT translation of the source address and/or destination address according to the NAT address pool;
the port translation subunit further performing NAPT translation of the corresponding source port and/or destination port according to the NAT address pool.
14. The NAT device for implementing inter-access between VPNs according to any one of claims 9 to 13, characterized in that the NAT address pool comprises: a source address translation address pool and a destination address translation address pool, the source/destination address translation address pool being a static translation address pool or a dynamic translation address pool.
CN200710090548XA 2007-04-11 2007-04-11 Method and device for implementing inter-access between virtual private networks by conversion of network addresses Expired - Fee Related CN101286919B (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN200710090548XA CN101286919B (en) 2007-04-11 2007-04-11 Method and device for implementing inter-access between virtual private networks by conversion of network addresses
RU2008113089A RU2406247C2 (en) 2007-04-11 2008-04-08 Method and device for providing access between virtual private networks

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN200710090548XA CN101286919B (en) 2007-04-11 2007-04-11 Method and device for implementing inter-access between virtual private networks by conversion of network addresses

Publications (2)

Publication Number Publication Date
CN101286919A true CN101286919A (en) 2008-10-15
CN101286919B CN101286919B (en) 2010-11-10

Family

ID=40058898

Family Applications (1)

Application Number Title Priority Date Filing Date
CN200710090548XA Expired - Fee Related CN101286919B (en) 2007-04-11 2007-04-11 Method and device for implementing inter-access between virtual private networks by conversion of network addresses

Country Status (2)

Country Link
CN (1) CN101286919B (en)
RU (1) RU2406247C2 (en)

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1199405C (en) * 2002-07-23 2005-04-27 华为技术有限公司 Enterprise external virtual special network system and method using virtual router structure
CN1780249A (en) * 2004-11-25 2006-05-31 华为技术有限公司 Method for realizing different third layer virtual personnel interconnection
CN100423512C (en) * 2005-06-17 2008-10-01 杭州华三通信技术有限公司 Method for controlling usage of NAT equipment resources of VPN
CN100463452C (en) * 2006-03-21 2009-02-18 杭州华三通信技术有限公司 VPN data forwarding method and VPN device for data forwarding

Cited By (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101800690B (en) * 2009-02-05 2012-08-15 北京启明星辰信息技术股份有限公司 Method and device for realizing source address conversion by using address pool
CN102291732A (en) * 2010-06-18 2011-12-21 中兴通讯股份有限公司 Processing method, device and system for transmission gap style sequences
CN102291732B (en) * 2010-06-18 2015-04-01 中兴通讯股份有限公司 Processing method, device and system for transmission gap style sequences
CN103259724A (en) * 2012-02-15 2013-08-21 中兴通讯股份有限公司 Method, system and client edge device for implementing MPLS VPN
CN103259724B (en) * 2012-02-15 2017-12-29 中兴通讯股份有限公司 A kind of MPLS VPN implementation method, system and customer edge devices
WO2016078375A1 (en) * 2014-11-21 2016-05-26 中兴通讯股份有限公司 Data transmission method and device
CN110383796A (en) * 2016-12-20 2019-10-25 华为技术有限公司 The system and method for pseudo- tunnel information are transmitted during conversation initialization
CN110383796B (en) * 2016-12-20 2021-08-03 华为技术有限公司 System and method for transmitting pseudo tunnel information during session initialization
CN110177047A (en) * 2019-05-27 2019-08-27 北京字节跳动网络技术有限公司 File transmitting method, device, electronic equipment and computer readable storage medium
CN110177047B (en) * 2019-05-27 2022-03-04 北京字节跳动网络技术有限公司 Message sending method, device, electronic equipment and computer readable storage medium
CN114448667A (en) * 2021-12-23 2022-05-06 天翼云科技有限公司 Data transmission method, device and equipment
CN114448667B (en) * 2021-12-23 2023-08-08 天翼云科技有限公司 Data transmission method, device and equipment

Also Published As

Publication number Publication date
CN101286919B (en) 2010-11-10
RU2406247C2 (en) 2010-12-10
RU2008113089A (en) 2009-10-20

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CP03 Change of name, title or address
CP03 Change of name, title or address

Address after: 310052 Binjiang District Changhe Road, Zhejiang, China, No. 466, No.

Patentee after: NEW H3C TECHNOLOGIES Co.,Ltd.

Address before: 310053 Hangzhou hi tech Industrial Development Zone, Zhejiang province science and Technology Industrial Park, No. 310 and No. six road, HUAWEI, Hangzhou production base

Patentee before: HANGZHOU H3C TECHNOLOGIES Co.,Ltd.

CF01 Termination of patent right due to non-payment of annual fee
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20101110